From eabf99b8d8ba1feb3117a1025d061f28af752b9d Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Wed, 9 Jun 2021 00:04:28 +0100
Subject: [PATCH 1/4] python3Packages.datasette: add patch for CVE-2021-32670
enable included test
---
pkgs/development/python-modules/datasette/default.nix | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/pkgs/development/python-modules/datasette/default.nix b/pkgs/development/python-modules/datasette/default.nix
index 1d919de6ee8..19762d32fd7 100644
--- a/pkgs/development/python-modules/datasette/default.nix
+++ b/pkgs/development/python-modules/datasette/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
+, fetchpatch
 , aiofiles
 , asgi-csrf
 , click
@@ -36,6 +37,14 @@ buildPythonPackage rec {
 sha256 = "sha256-Ixh56X9dI/FIJPXHXXGnFiYj3qeBmvW5L1FF7/0ofUQ=";
 };
 
+ patches = [
+ (fetchpatch {
+ name = "CVE-2021-32670.patch";
+ url = "https://github.com/simonw/datasette/commit/26fc539312bca2551b6f048b6bcf4ffbb491289f.patch";
+ sha256 = "1d4yy6dqb4l7y0c5xpdvl66522ckdb34wnqvzqw73pdl2hr5jsml";
+ })
+ ];
+
 nativeBuildInputs = [ pytestrunner ];
 
 propagatedBuildInputs = [
@@ -80,6 +89,8 @@ buildPythonPackage rec {
 # just run the csv tests, as this should give some indictation of correctness
 pytestFlagsArray = [
 "tests/test_csv.py"
+ # covers patched CVE-2021-32670
+ "tests/test_html.py"
 ];
 disabledTests = [
 "facet"
From f77d176ec63a1a78aa6c8a21aa43dc2188c73daa Mon Sep 17 00:00:00 2001
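Review bot: The new fetchpatch entry says nothing about when it can be dropped, so the next person bumping datasette has no cue to check whether the pinned release already contains upstream commit 26fc539; suggest a comment above the `(fetchpatch {` line such as `# backport of upstream 26fc539 for CVE-2021-32670; remove once the pinned version includes it`. As a point of style, the patch hash is written as base32 (`sha256 = "1d4yy…"`) while the `src` hash a few lines above is SRI (`sha256-Ixh5…`); using the SRI form for both keeps the file consistent. Pinning the patch by commit in the URL and by content hash is the right shape for a security backport, so nothing else needs to change in this hunk. The `buildPythonPackage rec {` set this hunk edits starts and ends outside the hunk.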
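Review bot: The comment `# just run the csv tests, as this should give some indictation of correctness` directly above `pytestFlagsArray` is now inaccurate, since the hunk adds `tests/test_html.py` to the run; suggest replacing it with `# run the csv tests as a basic correctness check, plus test_html.py which covers the CVE-2021-32670 fix` (which also fixes the typo). Nothing in the hunk names the test that exercises the patched code path, and `disabledTests` (its list continues past the hunk) filters tests by name, so if the upstream patch ships a regression test it is worth confirming that test is actually selected rather than deselected by one of those patterns. The enclosing attribute set begins and ends outside the hunk.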
From: Andrew Childs
Date: Tue, 29 Jun 2021 10:52:55 +0900
Subject: [PATCH 2/4] root: use pure CoreSymbolication on Darwin
The current build works by linking against CoreSymbolication in /System/Library/PrivateFrameworks. This is impure and doesn't work in newer versions of macOS.
See https://github.com/NixOS/nixpkgs/issues/128576
(cherry picked from commit 55dcd998597257714c4a5362c14845a9363dde66)
---
pkgs/applications/science/misc/root/default.nix | 8 ++++++--
pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +-
pkgs/top-level/all-packages.nix | 2 +-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/pkgs/applications/science/misc/root/default.nix b/pkgs/applications/science/misc/root/default.nix
index 20b239dc677..bda202f52bc 100644
--- a/pkgs/applications/science/misc/root/default.nix
+++ b/pkgs/applications/science/misc/root/default.nix
@@ -2,7 +2,7 @@
 , libX11, libXpm, libXft, libXext, libGLU, libGL, libxml2, lz4, xz, pcre
 , pkg-config, python, xxHash, zlib, zstd
 , libAfterImage, giflib, libjpeg, libtiff, libpng
-, Cocoa, OpenGL, noSplash ? false }:
+, Cocoa, CoreSymbolication, OpenGL, noSplash ? false }:
 
 stdenv.mkDerivation rec {
 pname = "root";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ makeWrapper cmake pkg-config llvm_5.dev ];
 buildInputs = [ ftgl gl2ps glew pcre zlib zstd llvm_5 libxml2 lz4 xz gsl xxHash libAfterImage giflib libjpeg libtiff libpng python.pkgs.numpy ]
 ++ lib.optionals (!stdenv.isDarwin) [ libX11 libXpm libXft libXext libGLU libGL ]
- ++ lib.optionals (stdenv.isDarwin) [ Cocoa OpenGL ]
+ ++ lib.optionals (stdenv.isDarwin) [ Cocoa CoreSymbolication OpenGL ]
 ;
 
 patches = [
@@ -31,6 +31,10 @@ stdenv.mkDerivation rec {
 patchShebangs build/unix/
 '' + lib.optionalString noSplash ''
 substituteInPlace rootx/src/rootx.cxx --replace "gNoLogo = false" "gNoLogo = true"
+ '' + lib.optionalString stdenv.isDarwin ''
+ # Eliminate impure reference to /System/Library/PrivateFrameworks
+ substituteInPlace core/CMakeLists.txt \
+ --replace "-F/System/Library/PrivateFrameworks" ""
 '';
 
 cmakeFlags = [
diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix
index 1b60abf562b..56b77fbf214 100644
--- a/pkgs/os-specific/darwin/apple-sdk/default.nix
+++ b/pkgs/os-specific/darwin/apple-sdk/default.nix
@@ -326,7 +326,7 @@ in rec {
 "Versions/A/Frameworks/WebKitLegacy.framework/Versions/A/WebKitLegacy.tbd"
 ];
 });
- } // lib.genAttrs [ "ContactsPersistence" "GameCenter" "SkyLight" "UIFoundation" ] (x: tbdOnlyFramework x {});
+ } // lib.genAttrs [ "ContactsPersistence" "CoreSymbolication" "GameCenter" "SkyLight" "UIFoundation" ] (x: tbdOnlyFramework x {});
 
 bareFrameworks = lib.mapAttrs framework (import ./frameworks.nix {
 inherit frameworks libs;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2b5bd48a6b9..25cb7fb4a94 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -29947,7 +29947,7 @@ in
 
 root = callPackage ../applications/science/misc/root {
 python = python3;
- inherit (darwin.apple_sdk.frameworks) Cocoa OpenGL;
+ inherit (darwin.apple_sdk.frameworks) Cocoa CoreSymbolication OpenGL;
 };
 
 root5 = lowPrio (callPackage ../applications/science/misc/root/5.nix {
From 0949abcecdbed95f1a525b9b68cc5ffc31f211ba Mon Sep 17 00:00:00 2001
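Review bot: The new `substituteInPlace core/CMakeLists.txt --replace "-F/System/Library/PrivateFrameworks" ""` in the Darwin branch of postPatch is a silent no-op if the needle is ever absent, which as far as I can tell is how `--replace` behaves at this nixpkgs revision; on the next ROOT bump the purity fix could therefore stop applying without any build failure, and the Darwin build would again link against the impure framework path that the commit message says breaks on newer macOS. Make the build fail loudly instead by adding `grep -q -- "-F/System/Library/PrivateFrameworks" core/CMakeLists.txt` on the line before the substituteInPlace, so a vanished or renamed flag is noticed at build time rather than by a user. The postPatch string this hunk extends begins outside the hunk, and the enclosing mkDerivation block runs past it.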
From: Robert Scott
Date: Fri, 25 Jun 2021 19:39:33 +0100
Subject: [PATCH 3/4] python3Packages.pydantic: 1.8.1 -> 1.8.2
resolves CVE-2021-29510
(cherry picked from commit 7bc6972957203c0857a1e1618c78368e898a4f40)
---
pkgs/development/python-modules/pydantic/default.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/python-modules/pydantic/default.nix b/pkgs/development/python-modules/pydantic/default.nix
index 11879159b4f..69a080c1d71 100644
--- a/pkgs/development/python-modules/pydantic/default.nix
+++ b/pkgs/development/python-modules/pydantic/default.nix
@@ -12,14 +12,14 @@ buildPythonPackage rec {
 pname = "pydantic";
- version = "1.8.1";
+ version = "1.8.2";
 disabled = pythonOlder "3.7";
 src = fetchFromGitHub {
 owner = "samuelcolvin";
 repo = pname;
 rev = "v${version}";
- sha256 = "1zvcmx3927fgx37gdhi8g8igvrkri1v78rn3118p4wssqhgfwa6n";
+ sha256 = "06162dss6mvi7wiy2lzxwvzajwxgy8b2fyym7qipaj7zibcqalq2";
 };
 propagatedBuildInputs = [
From 21b696caf392ad6fa513caf3327d0aa0430ffb72 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Fri, 25 Jun 2021 19:40:33 +0100
Subject: [PATCH 4/4] python3Packages.fastapi: 0.65.0 -> 0.65.2
resolves CVE-2021-32677
(cherry picked from commit f582fd647537619424e49edbb2fad36c20889194)
---
pkgs/development/python-modules/fastapi/default.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/python-modules/fastapi/default.nix b/pkgs/development/python-modules/fastapi/default.nix
index 0f1c7ec6bdc..b804d4943b2 100644
--- a/pkgs/development/python-modules/fastapi/default.nix
+++ b/pkgs/development/python-modules/fastapi/default.nix
@@ -17,14 +17,14 @@ buildPythonPackage rec {
 pname = "fastapi";
- version = "0.65.0";
+ version = "0.65.2";
 format = "flit";
 src = fetchFromGitHub {
 owner = "tiangolo";
 repo = "fastapi";
 rev = version;
- sha256 = "sha256-DPfijCGORF3ThZblqaYTKN0H8+wlhtdIS8lfKfJl/bY=";
+ sha256 = "032srvbfdy02m1b664x67lkdcx6b2bd4c9a9cb176lscjk213240";
 };
 postPatch = ''